Filter unwanted params from your controllers/actions in your Rails app. Provides param_protected and param_accessible analogous to ActiveRecord's attr_protected and attr_accessible. http://blog.stochasticbytes.com/2008/01/introducing-param_protected/

README.rdoc

Summary

This plugin provides two class methods on ActionController::Base that filter the params hash for that controller's actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Installation

Rails 2.3.x

gem install param_protected -v "~> 1.0.0"

Rails 3.0.x

gem "param_protected", "~> 2.0.0"

Thanks to jonleighton for the Rails 3 port.

Rails 3.1.x

gem "param_protected", "~> 3.0.0"

Thanks to gucki for the Rails 3.1 port.

Rails 3.2.x

gem "param_protected", "~> 4.0.0"

Usage

class YourController < ActionController::Base
  param_protected <param_name> <options>
  param_accessible <param_name> <options>

  ...
end

param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash with one of two keys: :only or :except. The value for either key is a String, Symbol, or Array of Strings and/or Symbols naming the action(s) to which the protection applies.

Blacklisting

Any of these combinations should work.

param_protected :client_id
param_protected [:client_id, :user_id]
param_protected :client_id, :only => 'my_action'
param_protected :client_id, :except => [:your_action, :my_action]

Whitelisting

Any of these combinations should work.

param_accessible :client_id
param_accessible [:client_id, :user_id]
param_accessible :client_id, :only => 'my_action'
param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find's :include argument works.

param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }]
param_protected [:id, :password, { :user => [:id, :password] }]

Merging

If you call param_protected or param_accessible multiple times for an action or actions, then the protections will be merged. For example…

param_protected [:id, :user], :only => :some_action
param_protected [{ :user => [:first, :last] }, :password], :only => :some_action

Is equivalent to saying…

param_protected [:id, { :user => [:first, :last] }, :password], :only => :some_action

Credit: Moritz Heidkamp

Inheritance

Param protections are inherited by derived controllers.

Credit: Moritz Heidkamp

Conditions

You can conditionally protect params…

param_protected :admin, :unless => "user_is_admin?"
param_accessible :admin, :if => :user_is_admin?
param_protected :admin, :unless => Proc.new{ |controller| controller.user_is_admin? }

Credit: Moritz Heidkamp

Regular Expressions

You can use regular expressions when specifying which params to make protected or accessible.

param_accessible /item\d/

Credit: Moritz Heidkamp
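The following is an added example, not code from the param_protected gem: a stand-alone Ruby model of the spec format used in the Blacklisting, Whitelisting, Nested Params, Merging and Regular Expressions sections above. It normalises a spec (Strings, Symbols, Regexps, Arrays, Hashes) into a tree, merges trees from repeated declarations the way the Merging section describes, and applies a tree to a nested params hash as either a whitelist or a blacklist. The function names (normalize_spec, merge_specs, subtree_for, apply_accessible, apply_protected) and the SAMPLE_PARAMS hash are assumptions made for this example.

```ruby
# Added example, not the param_protected gem's own code: a stand-alone model of
# the spec format shown above.  Specs (Strings, Symbols, Regexps, Arrays, Hashes)
# are normalised into a tree, trees from repeated declarations are merged the
# way the Merging section describes, and a tree is then applied to a nested
# params hash either as a whitelist (param_accessible) or a blacklist
# (param_protected).  Regexp entries match against the param name.

# Normalise a spec into a Hash: keys are String names or Regexps, values are
# sub-trees.  An empty Hash is a leaf and stands for "the whole value".
def normalize_spec(spec)
  case spec
  when String, Symbol then { spec.to_s => {} }
  when Regexp         then { spec => {} }
  when Array
    spec.inject({}) { |tree, item| merge_specs(tree, normalize_spec(item)) }
  when Hash
    spec.inject({}) do |tree, (key, sub)|
      merge_specs(tree, { (key.is_a?(Regexp) ? key : key.to_s) => normalize_spec(sub) })
    end
  else raise ArgumentError, "unsupported spec element: #{spec.inspect}"
  end
end

# Deep-merge two trees.  A leaf merged with a sub-tree yields the sub-tree, so
# `:user` followed by `{ :user => [:first, :last] }` ends up as the latter.
def merge_specs(a, b)
  return b if a.empty?
  return a if b.empty?
  a.merge(b) { |_key, left, right| merge_specs(left, right) }
end

# Sub-tree for a param name, or nil when no key (exact name or Regexp) matches.
def subtree_for(tree, name)
  hits = tree.select { |key, _| key.is_a?(Regexp) ? key =~ name : key == name }.values
  return nil if hits.empty?
  hits.inject({}) { |merged, sub| merge_specs(merged, sub) }
end

# Whitelist: keep only what the tree names; recurse into nested hashes.
def apply_accessible(params, tree)
  params.inject({}) do |kept, (name, value)|
    sub = subtree_for(tree, name.to_s)
    unless sub.nil?
      kept[name] = (sub.empty? || !value.is_a?(Hash)) ? value : apply_accessible(value, sub)
    end
    kept
  end
end

# Blacklist: drop what a leaf names; for a sub-tree, strip inside the nested hash.
def apply_protected(params, tree)
  params.inject({}) do |kept, (name, value)|
    sub = subtree_for(tree, name.to_s)
    if sub.nil? || (!sub.empty? && !value.is_a?(Hash))
      kept[name] = value
    elsif !sub.empty?
      kept[name] = apply_protected(value, sub)
    end
    kept
  end
end

# Constructed sample params, the shape a Rails controller would receive.
SAMPLE_PARAMS = {
  "account_name" => "acme", "id" => "42", "password" => "hunter2",
  "user" => { "id" => "7", "first_name" => "Ada", "last_name" => "Lovelace", "password" => "x",
              "address" => { "street" => "1 Main St", "city" => "Austin", "zip" => "00000" } },
  "item1" => "a", "item2" => "b", "other" => "c"
}

# The Nested Params whitelist from the README plus the Regexp example.
def demo_accessible
  tree = normalize_spec([:account_name,
                         { :user => [:first_name, :last_name, :address => [:street, :city, :state]] },
                         /item\d/])
  apply_accessible(SAMPLE_PARAMS, tree)
end

# The nested blacklist from the README, built from two merged declarations.
def demo_protected
  tree = merge_specs(normalize_spec([:id, :user]),
                     normalize_spec([{ :user => [:id, :password] }, :password]))
  apply_protected(SAMPLE_PARAMS, tree)
end

puts demo_accessible.inspect
puts demo_protected.inspect
```

Note the whitelist keeps the "state" entry in the spec even though no such param arrives, and the blacklist's `:user` leaf merged with `{ :user => [:id, :password] }` strips only those two keys inside user rather than the whole user hash, matching the Merging section's equivalence.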

How does it work?

It does an alias_method_chain on ActionController::Base#params that filters (and caches) the params. You can get the unfiltered, pristine params by calling ActionController::Base#params_without_protection.
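As an added example that is not part of the gem, the block below models the mechanism just described in plain Ruby: the original `params` reader stays reachable as `params_without_protection`, and `params` is redefined to return a filtered, cached copy. It also models the :only/:except options, the :if/:unless condition forms from the Conditions section (method name or Proc) and rule inheritance. FakeController, AccountsController, AdminAccountsController, REQUEST_PARAMS and surviving_keys are names invented for this example; only top-level param names are handled.

```ruby
# Added example, not the gem's own code: a minimal stand-in for the mechanism
# described above.  The original `params` reader is kept reachable as
# `params_without_protection`, and `params` is redefined to return a filtered,
# cached copy.  :only/:except, :if/:unless (method name or Proc) and inheritance
# are modelled; only top-level param names are handled, to keep the model small.
class FakeController
  # Rules declared on this class plus those inherited from superclasses.
  def self.protection_rules
    own = (@protection_rules ||= [])
    superclass.respond_to?(:protection_rules) ? superclass.protection_rules + own : own
  end

  def self.param_protected(names, options = {})
    (@protection_rules ||= []) << options.merge(:names => Array(names).map(&:to_s))
  end

  attr_reader :action_name

  def initialize(action_name, raw_params)
    @action_name = action_name.to_s
    @raw_params  = raw_params
  end

  # The plain accessor a framework would provide.
  def params
    @raw_params
  end

  # Hand-rolled equivalent of `alias_method_chain :params, :protection`:
  # keep the pristine reader under a new name, then override `params`.
  alias_method :params_without_protection, :params

  def params
    @params_with_protection ||= params_without_protection.reject do |name, _value|
      self.class.protection_rules.any? { |rule| rule_applies?(rule) && rule[:names].include?(name.to_s) }
    end
  end

  private

  def rule_applies?(rule)
    return false if rule[:only]   && !Array(rule[:only]).map(&:to_s).include?(action_name)
    return false if rule[:except] &&  Array(rule[:except]).map(&:to_s).include?(action_name)
    return false if rule[:if]     && !condition_true?(rule[:if])
    return false if rule[:unless] &&  condition_true?(rule[:unless])
    true
  end

  # A condition is a method name (String or Symbol) sent to the controller,
  # or a Proc that receives the controller.
  def condition_true?(condition)
    condition.is_a?(Proc) ? condition.call(self) : send(condition)
  end
end

# Hypothetical controllers using the README's condition forms.
class AccountsController < FakeController
  param_protected :admin,     :unless => "user_is_admin?"
  param_protected :client_id, :only   => :update
  param_protected :token,     :unless => Proc.new { |controller| controller.action_name == "show" }

  def initialize(action_name, raw_params, admin)
    super(action_name, raw_params)
    @admin = admin
  end

  def user_is_admin?
    @admin
  end
end

class AdminAccountsController < AccountsController
  param_protected :role   # inherited rules still apply alongside this one
end

# Constructed request params.
REQUEST_PARAMS = { "name" => "acme", "admin" => "1", "client_id" => "9", "token" => "t", "role" => "root" }

# Keys that survive filtering for a given controller, action and admin flag.
def surviving_keys(controller_class, action, admin)
  controller_class.new(action, REQUEST_PARAMS, admin).params.keys
end

puts surviving_keys(AccountsController, :update, false).inspect
puts surviving_keys(AdminAccountsController, :show, true).inspect
```

Because the filtered hash is memoised per request object, conditions are evaluated once on the first `params` call; anything that needs the raw request data goes through `params_without_protection`, exactly as the gem exposes it.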

Original Author

Christopher J. Bottaro - cjbottaro

Contributors

Moritz Heidkamp - DerGuteMoritz

Jon Leighton - jonleighton

Corin Langosch - gucki
